Re: Allowing Mail from an appliance &/or other Mail server



Yes, and disable anonymous access.
--
Bharat Suneja
MVP - Exchange
www.zenprise.com
NEW blog location:
www.exchangepedia.com/blog
----------------------------------------------


"flash" <flash@xxxxxxxxxxxxxxxxxxxxxxxxx> wrote in message
news:F3F75850-23D5-4641-9635-56CABD3494FF@xxxxxxxxxxxxxxxx
On the incoming email from this other mail server to Exchange -
authentication will not be possible. I will need to turn on anonymous on
this virtual server and restrict by the ip address for the security.
Anything else to lock it down for outgoing, etc? Should I prevent this
virtual server from sending email somehow or from performing any other
functions?

I still need users to access this server with pop3/Imap. So I would create
another SMTP virtual server and leave authentication on. This way only
authenticated users could send email through this server - right?

Thanks

"Bharat Suneja [MVP]" wrote:

Thanks for the details... what you are trying to do is lock down Exchange
so it can only receive inbound mail from a single IP address (and perhaps
sends outbound email through that IP address only). This can easily be
accomplished by limiting which IP addresses can connect to your SMTP
virtual server on smtp port 25.

- SMTP virtual server | properties | Access tab | Connection -> change
from the default "All except the list below" to "Only the list below" and
add the IP address of the server you want to receive mail from.

Outlook users do not need smtp connectivity to Exchange servers - they
communicate with Exchange using RPC/MAPI.

If you have users that use POP3/IMAP clients to access their mailboxes,
you have two choices:
- turn authentication on for your default smtp virtual server, and allow
only authenticated connections. In this case, you should not implement
the IP connectivity restriction discussed above, and have the sending host
of your smtp relay server configured to authenticate as well. The
IMAP4/POP3 clients will need to authenticate as well to relay mail.

If that server is located at an ISP and authentication is not possible,
implement the IP connection restriction as discussed above, and create a
second SMTP virtual server for your IMAP4/POP3 clients. Configure this
virtual server to authenticate. You can either use a different IP address,
or use a different port on the same IP address for this new SMTP virtual
server. Optionally, you can install a certificate and encrypt these
messages as well.
--
Bharat Suneja
MVP - Exchange
www.zenprise.com
NEW blog location:
www.exchangepedia.com/blog
----------------------------------------------


"flash" <flash@xxxxxxxxxxxxxxxxxxxxxxxxx> wrote in message
news:E1F79FC1-54C1-47BE-BB65-B463CF809F99@xxxxxxxxxxxxxxxx
Do we need (2) SMTP Virtual Servers? If one has anonymous on, how is
security enhanced with the 2nd virtual server? [If I do not have to
authenticate because anonymous is on what am I gaining with the 2nd
virtual server?] Would I then need a separate ip address for the 2nd
virtual server? Do we need any connectors?

What I would like to be able to do is lock down Exchange as best as
possible with security. Exchange needs to be able to receive email from a
specific ip address (another Internet Messaging Server) and then users
have to authenticate to Exchange in order to receive/send email.

I want to be able to tell Exchange accepting mail from this source is
okay (and other criteria that makes it secure) and then use the security
with the remote users.


"Bharat Suneja [MVP]" wrote:

If you want to continue receiving internet mail on that SMTP virtual
server, you have to allow anonymous.

If you want only authenticated (and perhaps even encrypted) SMTP
connections, but still want to continue receiving normal internet mail,
you should create a separate SMTP virtual for the authenticated
connections. This is typically done when you have either remote users who
need SMTP relaying capability (remote POP3/IMAP4 users), or when setting
up secure SMTP connections to exchange mail with partners or within
business units.
--
Bharat Suneja
MVP - Exchange
www.zenprise.com
NEW blog location:
www.exchangepedia.com/blog
----------------------------------------------


"flash" <flash@xxxxxxxxxxxxxxxxxxxxxxxxx> wrote in message
news:A2CFF669-80FF-498B-A48E-EB4C5E98D901@xxxxxxxxxxxxxxxx
So there is no way to lock down the anonymous? All or nothing?


"Bharat Suneja [MVP]" wrote:

SMTP virtual servers are configured to accept anonymous connections by
default - else they wouldn't be able to receive any internet mail.

If you also want that IP to be able to relay, you will need to add its ip
address to list of hosts allowed to relay (smtp vs properties | access |
relay).
--
Bharat Suneja
MVP - Exchange
www.zenprise.com
NEW blog location:
www.exchangepedia.com/blog
----------------------------------------------


"flash" <flash@xxxxxxxxxxxxxxxxxxxxxxxxx> wrote in message
news:82B33167-0B33-4792-A79C-C6E2AF914C22@xxxxxxxxxxxxxxxx
How can I tell Exchange 2003 Enterprise Server to accept mail from a
specific ip address without having to turn on allow anonymous on the SMTP
virtual connector? Obviously I do not want to leave the anonymous on and
want to be able to tell Exchange to accept mail from a specific source (by
IP.) We have an external email server and want to forward the email to the
Exchange Server - users will have the same email address on both servers.
Any help appreciated.
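
The layout the replies arrive at (one anonymous, IP-restricted SMTP virtual server for the upstream mail server, plus a second, authenticated one for POP3/IMAP clients), as an added example that is not part of the thread: a simplified Python model of the accept/relay decision, not Exchange code. The IP addresses and port 587 are constructed assumptions; the thread only says "a different port".

```python
from dataclasses import dataclass, field
from ipaddress import ip_address, ip_network

@dataclass
class VirtualServer:
    """Simplified model of one SMTP virtual server (not Exchange code)."""
    name: str
    port: int
    allow_anonymous: bool
    connection_allow: list = field(default_factory=list)  # empty = any IP may connect
    relay_allow: list = field(default_factory=list)       # IPs that may relay unauthenticated
    auth_may_relay: bool = True                           # authenticated sessions may relay

    @staticmethod
    def _listed(ip, nets):
        return any(ip_address(ip) in ip_network(n) for n in nets)

    def decide(self, client_ip, authenticated, rcpt_is_local):
        # 1. Connection control ("Only the list below") applies before anything else.
        if self.connection_allow and not self._listed(client_ip, self.connection_allow):
            return "refuse-connect"
        # 2. With anonymous access off, an unauthenticated session cannot submit mail.
        if not authenticated and not self.allow_anonymous:
            return "reject"
        # 3. Mail addressed to a local mailbox is accepted for delivery.
        if rcpt_is_local:
            return "deliver"
        # 4. Anything else is relaying: needs authentication or a relay-list entry.
        if (authenticated and self.auth_may_relay) or self._listed(client_ip, self.relay_allow):
            return "relay"
        return "reject"

# Constructed sample values (documentation address ranges); port 587 is an assumption.
UPSTREAM = "192.0.2.10"
inbound = VirtualServer("inbound", 25, allow_anonymous=True, connection_allow=[UPSTREAM])
clients = VirtualServer("clients", 587, allow_anonymous=False)

def evaluate():
    cases = [
        (inbound, UPSTREAM, False, True),         # upstream server forwards local mail
        (inbound, "203.0.113.50", False, True),   # any other internet host
        (inbound, UPSTREAM, False, False),        # upstream tries to relay, not on relay list
        (clients, "198.51.100.7", True, False),   # remote POP3/IMAP user, authenticated
        (clients, "198.51.100.7", False, False),  # same client without credentials
    ]
    return [(vs.name, ip, vs.decide(ip, auth, local)) for vs, ip, auth, local in cases]

if __name__ == "__main__":
    for row in evaluate():
        print(*row)
```

Adding the upstream address to `relay_allow` on the inbound server turns the third case into `relay`, which is the relay-list step mentioned in the earliest reply.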